Thanks for working on alignment here!!

On Tue, Nov 29, 2022 at 7:30 AM 'Harald Alvestrand' via blink-dev <blink-dev@chromium.org> wrote:
> This IDNA 2008 author applauds your decision.
>
> On Mon, Nov 28, 2022 at 10:16 PM Mustafa Emre Acer <mea...@chromium.org> wrote:
>
>> Contact emails
>> mea...@chromium.org
>>
>> Specification
>> https://unicode.org/reports/tr46
>>
>> Summary
>>
>> Enable IDNA 2008 in Non-Transitional Mode for URL processing, aligning Chrome's behavior with Firefox and Safari. Chrome currently uses IDNA 2008 in Transitional Mode in URL processing. The main difference between Transitional and Non-Transitional Mode is the handling of four characters known as deviation characters: ß (LATIN SMALL LETTER SHARP S), ς (GREEK SMALL LETTER FINAL SIGMA), ZWJ (Zero width joiner) and ZWNJ (Zero width non-joiner). In Transitional mode, deviation characters are handled the same as IDNA2003: ß is mapped to ss, ς is mapped to σ, and ZWJ and ZWNJ are deleted. In Non-Transitional mode, domains containing these characters are allowed in domain names without mapping, and thus can resolve to different IP addresses. For example, typing "faß.de" in Chrome and Firefox opens different sites today. Enabling Non-Transitional IDNA in Chrome will allow deviation characters in domain names. Firefox and Safari already made this change in 2016 and continue to use Non-Transitional URL processing.
>>
>> Blink component
>> UI>Security>UrlFormatting <https://bugs.chromium.org/p/chromium/issues/list?q=component:UI%3ESecurity%3EUrlFormatting>
>>
>> Search tags
>> idna <https://chromestatus.com/features#tags:idna>
>>
>> TAG review
>> This feature addresses conformance to an existing spec and other browsers already do it.
>>
>> TAG review status
>> Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> *Gecko*: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1218179)
>>
>> *WebKit*: Shipped/Shipping (https://trac.webkit.org/changeset/208902/webkit)
>>
>> *Web developers*: No signals
>>
>> *Other signals*:
>>
>> Security
>>
>> This change introduces a potential security issue where a domain pointing to one IP may start pointing to another IP. As an example, IDNA2003 and Transitional IDNA-2008 map faß.de to fass.de (ß is a deviation character). Non-Transitional IDNA2008 maps it to xn--fa-hia.de which is the punycode representation of faß.de. Typing "faß.de" in Chrome and Firefox currently opens different sites. Main mitigations discussed were domain bundling / blocking where registrars bundle domain names (e.g. registering faß.de along with fass.de) or block the alternative domain name (e.g. disallow faß.de if fass.de is registered).
>>
>> According to data from Chrome 106 and 107:
>> - Less than 0.001% of user-typed or pasted main frame navigations had a deviation character in the hostname. This excludes link clicks and renderer initiated navigations, so the percentage of affected domains among all navigations is even lower.
>> - Only one hostname had a deviation character and had more than 50 impressions over a 28 day period (fußball.de). Both fußball.de and fussball.de have the same owner so this change doesn't affect them.
>>
>> Thus, typing domain names with deviation characters is very rare. Domain bundling / blocking aren't blockers as this change won't have a significant impact on navigations. Finally, Firefox and Safari have been using Non-Transitional IDNA 2008 since 2016 without issues.
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>
>> Debuggability
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>> Yes
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>> No
>>
> Why not?
>
>>
>> DevTrial instructions
>> https://bugs.chromium.org/p/chromium/issues/detail?id=694157#c70
>>
>> Flag name
>> use-idna2008-non-transitional
>>
>> Requires code in //chrome?
>> False
>>
>> Tracking bug
>> https://bugs.chromium.org/p/chromium/issues/detail?id=694157
>>
>> Launch bug
>> https://launch.corp.google.com/launch/4224656
>>
>> Estimated milestones
>> DevTrial on desktop 110
>> DevTrial on Android 110
>>
>> Anticipated spec changes
>>
>> Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5105856067141632
>>
>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com.
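
Added example, not part of the original thread and not Chromium's code: a simplified audit that computes the lookup name of a hostname under Transitional and Non-Transitional handling of the four deviation characters described in the quoted intent, and reports names where the two differ. The names `to_ascii`, `audit` and `SAMPLE` are assumptions, and only the deviation-character step is modelled, not the full UTS #46 mapping and validation.

```python
import unicodedata

# The four deviation characters from the intent and their Transitional
# (IDNA2003-style) handling.
DEVIATION_MAP = {
    "\u00df": "ss",      # ß LATIN SMALL LETTER SHARP S -> ss
    "\u03c2": "\u03c3",  # ς GREEK SMALL LETTER FINAL SIGMA -> σ
    "\u200d": "",        # ZWJ is deleted
    "\u200c": "",        # ZWNJ is deleted
}

def _label_to_ascii(label):
    """Punycode-encode one label; only non-ASCII labels get the xn-- prefix."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def to_ascii(hostname, transitional):
    """Simplified ToASCII: lowercase, NFC, optional deviation mapping, Punycode.

    Assumption: covers only the deviation-character difference discussed in
    the thread, not the complete UTS #46 algorithm.
    """
    host = unicodedata.normalize("NFC", hostname.lower())
    if transitional:
        host = "".join(DEVIATION_MAP.get(ch, ch) for ch in host)
        host = unicodedata.normalize("NFC", host)
    return ".".join(_label_to_ascii(label) for label in host.split("."))

def audit(hostnames):
    """Return (name, transitional, non_transitional) where the two modes differ."""
    findings = []
    for name in hostnames:
        old, new = to_ascii(name, True), to_ascii(name, False)
        if old != new:
            findings.append((name, old, new))
    return findings

# Constructed sample input: the two names mentioned in the thread plus a control.
SAMPLE = ["faß.de", "fußball.de", "example.com"]

if __name__ == "__main__":
    for name, old, new in audit(SAMPLE):
        print(f"{name}: transitional={old} non-transitional={new}")
```

Names flagged by `audit` are the ones to check for common ownership, or for the registrar bundling and blocking mentioned in the Security section, since the two lookup names can resolve to different IP addresses.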